Make edits to Best Practices for HISPs document:
· Clarify that an organization only needs to sign a BAA with one external HISP, with a chain of connected HISPs allowing for network-wide exchange
· Add language specifying that this document applies to the HISP as an organizational model, not a function that is internal to a covered entity
· Explain that discussion about the individual was left out intentionally because the individual and traffic to/from the individual is well recognized within HIPAA
Then send around for Call for Consensus

His first concern is about best practices for the Stage One MU individual use cases

Need to make sure the individual case is covered in terms of HISP responsibility

During an earlier phase of the Direct Project, they were going to prioritize Stage One, provider to individual, but were not going to prioritize the individual back to the provider

Feels the individual to the provider use case has implications from a best practices perspective that the Best Practices WG should provide guidance for HISPs about

Arien Malec

Are the confining issues the issues of legal agreements, security, privacy, transparency?

There seem to be other ID assurance, workflow issues involved

Are there any particular edits you’d like to make to make sure the current Best Practices for HISPs document covers individuals more?

Trying not to address ID issues in this document

This is about protecting privacy, security, transparency as a HISP

Rich Elmore

Hasn’t spent the time necessary to develop recommendations, but he believes there would be some that would apply in those categories

Arien Malec

So far this document is not talking about individuals

HIPAA may not even talk about business associates of individuals

Gets complicated easily, he isn’t sure the law is clear

Rich Elmore

Agrees with the summary

His other concern is that when a provider sends info to an individual, what is our best practice position in terms of disabling or enabling a reply that was not Stage One for this project?

Arien Malec

Suggests it is a different topic about ID assurance and workflow for individuals and not about privacy, security, transport

Rich Elmore

If a HISP gets a response back from individual, will it pass through?

Arien Malec

If operating in agent mode, will apply consistent models to accept or reject the transaction

Any particular workflow needs to be done at the provider level

Definition of a business associate: provides functions or activities on behalf of the covered entity

Which makes dealing with the individual really confusing in this document

David Kibbe

Asked if all WG members understand the amended HIPAA business associate definitions

He doesn’t have them in front of him, but the idea of a business associate and their responsibilities and obligations has significantly increased as a result of the NPRM

Wants to make sure people were not criticizing circa HIPAA 2009

Arien Malec

Right but now the NPRM has no enabling mechanism

When we get to a final rule, will need to revisit this document

Rich Elmore

His second comment was about making sure healthcare stakeholders have a really easy way to be able to sign up for the Direct Project, and to connect to others without a lot of bureaucracy

In an ideal situation, a provider would sign up once with a HISP and that HISP is in turn responsible for having the right kinds of agreements with other HISPs

It would be a single act of signing up with a single HISP

If we do that we have a shot at rapid and wide adoption

Or else providers are almost forced into doing agreements party by party

Arien Malec

Goal of the document was to get away from that

Acknowledges that is the world we are trying to get to

HIPAA provides responsible and strong protection to individuals for the privacy and security of their health information through covered entities

HIPAA then extends those provisions, to make this simpler, to business associates

Complication: really strong protection for covered entities, strong for business associates, but if you have a transaction for a third party between business associates, gets murky

As David Kibbe notes, recent NPRM changes may make it less murky

Definitionally, the HISPs for state immunization aren’t a business associate, which is why he added language about “equivalent contractually binding legal agreements”

Reason to limit in this way is to get away from the need for reciprocal arrangements

If you go beyond the boundaries of HIPAA, you run into more murky nuance

Very complicated, but those complicated situations happen often

Rich Elmore

Shouldn’t be ambiguous

Should go back to ONC

Arien Malec

Which is great, ONC can give governance guidance and regulatory guidance, but the process for doing both of those is long-term, not short-term, not likely to help with Direct Project pilots

Don Jorgenson

In a HISP to HISP situation, would it make sense to provide guidance for what provisions between them would allow for reduction in number of documents?

Arien Malec

Ideally these transactions don’t require reciprocal legal agreements in order to function, because that model is unscalable

If we want an open dynamic market for information exchange and high levels of trust, transparency, and security, it would be great to not have reciprocal agreements

Don Jorgenson

If there is guidance on that, and the HISP agrees to provisions and to defining important criteria, then they have a pivot point to move toward from each one

Arien Malec

The sender alone is responsible, which helps us a lot in policy

Next steps: Needs to do a second take, all seem to agree on overall principles, but don’t see a need for lots of reciprocal agreements

Round the Room: Rich Elmore’s Comments on Best Practices for HISPs

Laurie Tull

No comment

Doesn’t want this to be “big H big I big E,” should be simpler

If I’m a user and I have a relationship with a HISP, that should be enough, so that I can communicate with another provider

John Williams

HISP breach and breach reporting is also important

Michael Firriolo

No comment

Karen Witting

Read that the certificates would be used as the basis of trust, so that the sender and receiver have an anchor that is the basis for trust, and that anchor determines which policies both sides agreed to

Someone has to resolve that I’m sending/receiving to endpoints, the senders have to have a level of trust that is compatible

Arien Malec

With regard to certificates, the main trust issue is

a) Are you the you I think I’m sending to?

b) Am I the me you think you are receiving from?

c) Do I have confidence my mail isn’t being opened and nothing else unknown is happening in flight?

A lot of what we are discussing, HIPAA should be able to apply to all parties and transactions


Don Jorgenson

No comment

Patrick Pyette

No comment

Mark Stine

No comment

Gary Christensen

Requirement: should be scalable

Second, not so clear if we end up needing to have HISP to HISP agreement, not as much of a non-starter

Arien Malec

Neither of those two principles is set out in the preamble; he will add them

Greg Chittim

No comment

John Feikema

Gary’s comments are aligned with mine in terms of what the larger issue is

HISP to HISP agreements might be problematic, not a problem if they can sign a common agreement, much like the DURSA

Pat Pyette

First, HIPAA is very focused on PHI; does this document intend to do the same?

We have to make sure that PHI is either called out very specifically, or broaden the definition to include all kinds of personal info

Arien Malec

Interesting, because the protected data has a definitive definition under HIPAA, but there may be a broader spectrum of data that needs the same protections as in HIPAA

Pat Pyette

HIT Policy Committee is coming out with recommendations and will continue to come out with recommendations

Direct Project documents should say “recommendations as they are currently stated”

Arien Malec

Great point

The path from HIT Policy Committee recommendations to regulations is going to take a long time

Recommendations as they currently exist should be the aim, even if they may end up being best practices with no enforcement mechanism in some cases, but regardless, the Direct Project organizations will abide by them

Pat Pyette

You can only agree with what is in front of you today, not what may come tomorrow

Next, a comment on Recommendation #6: We really want to be in concert with principle of minimum collection

However, a HISP doing just HISP work will not survive long in the marketplace, so the recommendation could identify other value added services

Language edit “service obligations of the HISP” rather than “function of exchange required”

May offer other value-added services, just needs to be disclosed

David Kibbe

Seems likely that once there are 35 or 112 HISPs, there will be some kind of association representing those organizations, and that they will all in effect represent an industry group that has a strong mutual interest in conducting business in a standardized manner within the framework we are discussing now

They may find a way to create a convention with respect to BA agreement to add additional

For now this is just a theoretical comment

We can’t over-determine how these organizations choose to behave in the future, but we can hope they will behave in line with ideals we set out

Arien Malec

1) Setting best practices for pilots so that at least with respect to the pilots we have some level of voluntary commitment to maintain public trust

2) Setting out rules that organizations have voluntarily adhered to, foster innovation, protect privacy and security, all of which could be an input to the governance process for the Nationwide Health Information Network, which could include rules for effective messaging

Distinction between regulation and voluntary associations --- Direct is voluntary

Other comments on Best Practices for HISPS document:

Will Ross makes the point that only a BA is inadequate for best practices

I think that’s what the best practices were acknowledging—BA is necessary but not sufficient

Asked for volunteers for mini-review of Best Practices for HISPs document

Suggested a Round on if we address these topics, if we are ready to move forward

Round the Room: Will the Best Practices for HISPs document be ready if revisions discussed above are made? Are there volunteers to help review?

Laurie Tull

Will all of the best practices documents be rolled up into one big one, or will they be chapters?

Arien Malec

Great suggestion, would be a really nice thing to do

Thinks it is hard enough already to get the documents through consensus individually, so might make sense to send them through as chapters

Trying to take off logical chunks

Laurie Tull

Realizes it will be a work in progress

Right now they are trying to get best practices for the pilot programs, and not look further down the road

Rich Elmore

Happy to assist in follow up work

Can think through the implications of the document and help in that perspective, but would be good to have an expert on rules and proposed rules

Thinks the document will be complete after next round of review

Arien Malec

He does internal reviews with ONC, but they cannot actually make recommendations

Direct is all voluntary

Would be useful for someone in Direct to be involved in that level of review

John Williams

No comment

Michael Firriolo

No comment

Karen Witting

No comment

Gary Christensen

Is there anything we want to be talking about in terms of the “don’t look at the message” idea, as a best practice?

Arien Malec

The Policy Committee was looking into that

Don Jorgenson

Has a resource to offer for reviewing

Mark Stine

No comment

John Feikema

Is comfortable with review plan

David Kibbe

Has another CGC, a lawyer he will ask to assist with reviewing

She is strong with regulatory law

Also willing to participate

Gary Christensen

Doesn’t want to lose track of the breach issue

Arien Malec

Also thinks breach issue is important to look at

It is the sender’s responsibility

Greg Chittim

Thought WG was tabling the discussion on this, but if moving forward will serve on review team